Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection

Asbat El Khairi; Marco Caselli; Christian Knierim; Andreas Peter; Andrea Continella

doi:10.1145/3560810.3564266

Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection

Asbat El Khairi, Marco Caselli, Christian Knierim, Andreas Peter, Andrea Continella

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

9 Citations (Scopus)

95 Downloads (Pure)

Abstract

Container technology has gained ground in the industry for its scalability and lightweight virtualization, especially in cloud environments. Nevertheless, research has shown that containerized applications are an appealing target for cyberattacks, which may lead to interruption of business-critical services and financial damage. State-of-the-art anomaly-based host intrusion detection systems (HIDS) may enhance container runtime security. However, they were not designed to deal with the characteristics of containerized environments. Specifically, they cannot effectively cope with the scalability of containers and the diversity of anomalies. To address these challenges, we introduce a novel anomaly-based HIDS that relies on monitoring heterogeneous properties of system calls. Our key idea is that anomalies can be accurately detected when those properties are examined jointly within their context. To this end, we model system calls leveraging a graph-based structure that emphasizes their dependencies within their relative context, allowing us to precisely discern between normal and malicious activities. We evaluate our approach on two datasets of 20 different attack scenarios containing 11,700 normal and 1,980 attack system call traces. The achieved results show that our solution effectively detects various anomalies with reasonable runtime overhead, outperforming state-of-the-art tools.

Original language	English
Title of host publication	CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022
Publisher	Association for Computing Machinery
Pages	9-21
Number of pages	13
ISBN (Print)	978-1-4503-9875-6
DOIs	https://doi.org/10.1145/3560810.3564266
Publication status	Published - 7 Nov 2022
Event	ACM Cloud Computing Security Workshop, CCSW 2022 - Los Angeles, United States Duration: 7 Nov 2022 → 7 Nov 2022

Conference

Conference	ACM Cloud Computing Security Workshop, CCSW 2022
Abbreviated title	CCSW 2022
Country/Territory	United States
City	Los Angeles
Period	7/11/22 → 7/11/22

Keywords

Cybersecurity

Access to Document

10.1145/3560810.3564266Licence: CC BY

ArticleFinal published version, 1.38 MBLicence: CC BY

Cite this

@inproceedings{83cab28edb764deeb25965b24f1d77eb,

title = "Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection",

abstract = "Container technology has gained ground in the industry for its scalability and lightweight virtualization, especially in cloud environments. Nevertheless, research has shown that containerized applications are an appealing target for cyberattacks, which may lead to interruption of business-critical services and financial damage. State-of-the-art anomaly-based host intrusion detection systems (HIDS) may enhance container runtime security. However, they were not designed to deal with the characteristics of containerized environments. Specifically, they cannot effectively cope with the scalability of containers and the diversity of anomalies. To address these challenges, we introduce a novel anomaly-based HIDS that relies on monitoring heterogeneous properties of system calls. Our key idea is that anomalies can be accurately detected when those properties are examined jointly within their context. To this end, we model system calls leveraging a graph-based structure that emphasizes their dependencies within their relative context, allowing us to precisely discern between normal and malicious activities. We evaluate our approach on two datasets of 20 different attack scenarios containing 11,700 normal and 1,980 attack system call traces. The achieved results show that our solution effectively detects various anomalies with reasonable runtime overhead, outperforming state-of-the-art tools.",

keywords = "Cybersecurity",

author = "Khairi, {Asbat El} and Marco Caselli and Christian Knierim and Andreas Peter and Andrea Continella",

note = "Funding Information: We would like to thank our reviewers for their valuable comments and inputs to improve our paper. Part of this work has received funding from the European Union's Horizon 2020 research and innovation program under Grant Agreement No. 830927. Any views, results, findings, or recommendations communicated in this material are those of the authors or originators and do not necessarily reflect the sponsors' standpoints. Funding Information: We would like to thank our reviewers for their valuable comments and inputs to improve our paper. Part of this work has received funding from the European Union{\textquoteright}s Horizon 2020 research and innovation program under Grant Agreement No. 830927. Any views, results, findings, or recommendations communicated in this material are those of the authors or originators and do not necessarily reflect the sponsors{\textquoteright} standpoints. Publisher Copyright: {\textcopyright} 2022 Owner/Author.; ACM Cloud Computing Security Workshop, CCSW 2022, CCSW 2022 ; Conference date: 07-11-2022 Through 07-11-2022",

year = "2022",

month = nov,

day = "7",

doi = "10.1145/3560810.3564266",

language = "English",

isbn = "978-1-4503-9875-6",

pages = "9--21",

booktitle = "CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022",

publisher = "Association for Computing Machinery",

address = "United States",

}

Khairi, AE, Caselli, M, Knierim, C, Peter, A & Continella, A 2022, Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection. in CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022. Association for Computing Machinery, pp. 9-21, ACM Cloud Computing Security Workshop, CCSW 2022, Los Angeles, California, United States, 7/11/22. https://doi.org/10.1145/3560810.3564266

Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection. / Khairi, Asbat El; Caselli, Marco; Knierim, Christian et al.
CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022. Association for Computing Machinery, 2022. p. 9-21.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection

AU - Khairi, Asbat El

AU - Caselli, Marco

AU - Knierim, Christian

AU - Peter, Andreas

AU - Continella, Andrea

N1 - Funding Information: We would like to thank our reviewers for their valuable comments and inputs to improve our paper. Part of this work has received funding from the European Union's Horizon 2020 research and innovation program under Grant Agreement No. 830927. Any views, results, findings, or recommendations communicated in this material are those of the authors or originators and do not necessarily reflect the sponsors' standpoints. Funding Information: We would like to thank our reviewers for their valuable comments and inputs to improve our paper. Part of this work has received funding from the European Union’s Horizon 2020 research and innovation program under Grant Agreement No. 830927. Any views, results, findings, or recommendations communicated in this material are those of the authors or originators and do not necessarily reflect the sponsors’ standpoints. Publisher Copyright: © 2022 Owner/Author.

PY - 2022/11/7

Y1 - 2022/11/7

N2 - Container technology has gained ground in the industry for its scalability and lightweight virtualization, especially in cloud environments. Nevertheless, research has shown that containerized applications are an appealing target for cyberattacks, which may lead to interruption of business-critical services and financial damage. State-of-the-art anomaly-based host intrusion detection systems (HIDS) may enhance container runtime security. However, they were not designed to deal with the characteristics of containerized environments. Specifically, they cannot effectively cope with the scalability of containers and the diversity of anomalies. To address these challenges, we introduce a novel anomaly-based HIDS that relies on monitoring heterogeneous properties of system calls. Our key idea is that anomalies can be accurately detected when those properties are examined jointly within their context. To this end, we model system calls leveraging a graph-based structure that emphasizes their dependencies within their relative context, allowing us to precisely discern between normal and malicious activities. We evaluate our approach on two datasets of 20 different attack scenarios containing 11,700 normal and 1,980 attack system call traces. The achieved results show that our solution effectively detects various anomalies with reasonable runtime overhead, outperforming state-of-the-art tools.

AB - Container technology has gained ground in the industry for its scalability and lightweight virtualization, especially in cloud environments. Nevertheless, research has shown that containerized applications are an appealing target for cyberattacks, which may lead to interruption of business-critical services and financial damage. State-of-the-art anomaly-based host intrusion detection systems (HIDS) may enhance container runtime security. However, they were not designed to deal with the characteristics of containerized environments. Specifically, they cannot effectively cope with the scalability of containers and the diversity of anomalies. To address these challenges, we introduce a novel anomaly-based HIDS that relies on monitoring heterogeneous properties of system calls. Our key idea is that anomalies can be accurately detected when those properties are examined jointly within their context. To this end, we model system calls leveraging a graph-based structure that emphasizes their dependencies within their relative context, allowing us to precisely discern between normal and malicious activities. We evaluate our approach on two datasets of 20 different attack scenarios containing 11,700 normal and 1,980 attack system call traces. The achieved results show that our solution effectively detects various anomalies with reasonable runtime overhead, outperforming state-of-the-art tools.

KW - Cybersecurity

U2 - 10.1145/3560810.3564266

DO - 10.1145/3560810.3564266

M3 - Conference contribution

SN - 978-1-4503-9875-6

SP - 9

EP - 21

BT - CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022

PB - Association for Computing Machinery

T2 - ACM Cloud Computing Security Workshop, CCSW 2022

Y2 - 7 November 2022 through 7 November 2022

ER -

Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this